CYBERSPACE: THE FIFTH DIMENSION OF WARFARE – PART II

- Lt Gen (Dr) R S Panwar

Introduction
The dimensions of warfare have evolved over the centuries from Land and Sea to encompass
Air and Outer Space in the 20th Century. While land is integral to a nation, occupied and
defended, sea and air are common pool resources that are sought to be dominated even beyond
own territory. The decade of the sixties saw the emergence of space as the new arena of
competition, with the proliferation of satellites and missiles driving the cold war. Technological
developments have driven lethality, range and speed in all four domains to their maximum limits.
With the heavy dependence on networks in the 21st Century, Cyberspace has emerged as the
fifth dimension of warfare, with critical importance for the projection of military force.
In the previous part of this two-piece write-up, the emergence of Cyberspace as an operational
domain of warfare, as well as the types and classifications of cyber-attacks/ cyberwar were
discussed. In this follow-up part, some real-world examples of cyberwar over the past decade
will be described, and certain doctrinal aspects related to offensive cyberwar strategies as well
as some legal implications of conducting cyberwar will be dwelt upon.

Cyberwar – No Longer “Hype”

Thousands of cyber-attacks occur per day, suggesting great difficulty in distinguishing serious
threats from minor ones. However, there appears to exist a fairly clear distinction between day
to day cyber-crime events and an act of cyberwar. If an adversarial nation launches a
sophisticated, targeted cyber-attack that takes down significant parts of a nation’s critical
infrastructure, the consequences would constitute what we might call a cyberwar. For all
practical purposes, cyberwar engages the nation’s intelligence agencies and active-duty military
in the aggressive defense of its territory, citizens, and resources. Several notable examples exist
of widely accepted instances of cyberwar, which are briefly described in succeeding paragraphs
[1].

Estonian War (2007)

In Apr 2007, the Estonian Government decided to move a Soviet-era war memorial to a location
outside Talinn, its capital. Estonia is considered as one of the most technologically advanced
nations, with a ranking of 24 in the United Nation’s Network Readiness Index, indicating its e-
Governance status as very advanced and Internet dependent. On 20 Apr, this tiny Country was
swamped with cyber-attacks, quickly escalating into a cyberwar like scenario, wherein its banks,
newspapers, news agencies and all government sites were attacked and brought down. The
Distributed Denial of Service (DDoS) attacks using ping floods and botnets, spamming of news
portals commentaries and defacements of government web-sites, left the Country crippled for
the next three weeks or so. Despite being a NATO ally, Estonia could not invoke Article 5 ("attack
one of us, and it’s the same as attacking all of us"), due to lack of definition of "under attack" in
this case and the difficulty in identifying and proving that it was a Kremlin-sponsored attack. In
a strategic sense, the impact of the attacks was significant. They demonstrated the utility of
cyber blockade as a means of coercion, especially when employed in concert with other political,
economic, and information tools. They also served as a wake-up call for NATO, which
subsequently established the Cooperative Cyber Defense Centre for Excellence (CCDCOE) in
Tallinn.

Georgian War (2008)

The Russo-Georgian War of Aug 2008 was a four day long armed conflict between Georgia and
the Russian Federation, resulting in the breakaway of South Ossetia and Abkhazia from
Georgia. Weeks before the physical attacks on Georgia, attacks against Georgia’s Internet
 2
infrastructure began as early as July 2008, with coordinated DDoS attacks that overloaded and
effectively shut down Georgian servers. Although the Russian Government denied the
allegations that it was behind the attacks, stating that it was possible that "individuals in Russia
or elsewhere had taken it upon themselves to start the attacks", it was established that the Saint
Petersburg-based group known as the Russian Business Network (RBN) was behind many of
these cyber-attacks. While the overall impact of the cyberattacks was minimal - Georgia’s IT
infrastructure was limited in 2008, and the Georgian government was eventually able to reroute
most of its traffic through servers in other countries, including the United States, Estonia, and
Poland - it was the first known instance of wide-scale offensive cyber operations being mounted
in conjunction with conventional military operations.

Stuxnet (2010)
In 2010, the Stuxnet computer worm may have accomplished what five years of United Nations
Security Council resolutions could not: disrupt Iran’s pursuit of a nuclear bomb. Stuxnet is
essentially considered the world’s first digital weapon. It was developed by the American and
Israeli governments and used to wreak havoc on an Iranian nuclear facility called Natanz. It
targeted the computer systems used to control the centrifuges used to enrich uranium, and
instructed them to spin the machines out of control. Eventually that force broke the centrifuges.
Over a few years, about 20 percent of Iran’s centrifuges spun out of control and were destroyed.
Stuxnet was the first malware that actually physically destroyed something. In just a few years
since the Stuxnet attack came to light, a lot has changed in the cyber warfare realm, and there
have been other similar attacks that target critical infrastructure of adversary countries [2, 3].

Ukraine (2015)
Through its cyber campaign in 2015, Russia was able to quietly and persistently compromise
the Ukrainian government and military’s ability to communicate and operate, thereby
undermining the legitimacy and authority of Ukrainian political and military institutions. In late
December, 2015, however, Russia appeared to signal its capability and a willingness to expand
its use of offensive cyber operations to achieve kinetic effects by damaging Ukrainian critical
infrastructure. Pro-Russian cyber actors departed from what were basically nuisance attacks
and perpetrated what is believed to be the first cyberattack on another country’s electric power
grid. In an attack that has been widely attributed to Russia, coordinated and synchronized
cyberattacks targeted three separate distribution centres of a Ukrainian power company in
Western Ukraine. Using remote access to control and operate breakers, the attackers took the
distribution centres offline, causing power outages that affected more than 220,000 Ukrainian
residents. The attack would seem to fall under the rubric of information warfare principles, in
that its impact was mainly psychological. It emphasized the ramifications of Kiev’s anti-Russian
policies while undermining the confidence of Ukraine’s citizens in their government.

Cyber Warfare – Offensive Strategies

Armed Forces across the world are undergoing transformation with emerging cross domain
dynamics overlapping with cyberspace. The increasing dependence of the operational
environment on Information and Communication Technologies (ICT) and networks has led to
creation of a complex battlefield in which cyber warfare has a significant role to play. Cyberspace
provides the Armed Forces with unprecedented situational awareness, operational and
organizational agility, influence and the capability to engage the target population from
anywhere on earth. Hence, acquiring and maintaining superiority in cyberspace is of paramount
importance. Offensive cyber operations provide an asymmetric and powerful capability to strike
at the core of a previously uncontested advantage in time and space across a range of military
operations. The need for developing offensive cyber capabilities has, therefore, become an
imperative for any major military power. Possession of such capabilities would enable the
 3
development of cyberspace strategies based on the operational concepts of cyber-deterrence,
offensive defence and offensive cyber operations in a state-level multi-domain military conflict.

Cyber Deterrence
It is often said that, in defence strategies, deterrence precedes protection, resilience and
response. Nuclear deterrence has largely been responsible for a reduction in large-scale
conventional conflicts after World War II. Conventional military capabilities also have significant
deterrence value. Given the ‘non-attributable’ as well as ‘asymmetric’ characteristics of cyber-
attacks, the concept of deterrence in the cyber domain takes on a different flavour, making it a
subject of study by the major players in cyberspace. However, it is fairly evident that there can
be no effective cyber defence strategy based purely on a protection/ resilience/ response
paradigm. In this regard, the connotations and inter-se importance of Deterrence-by-Denial vis-
à-vis Deterrence-by-Retaliation in the cyber domain assumes importance. Clearly, a pre-
requisite for achieving deterrence-by-retaliation is the possession of offensive cyber capabilities
[4].

Offensive Defence
Sometimes termed “Active Defence,” in military operations it is often stated that offence is the
best form of defence. Although both “Deterrence” as well as “Active Defence” need offensive
capabilities, there is a difference in the two concepts, in that the former implies a “force in being”
while the latter involves the actual employment of offensive capabilities. Both involve the
possession and employment of offensive cyber capabilities, which therefore need to be
developed and used to advantage towards protecting our national cyberspace [5].

Offensive Cyber Operations

It has been amply brought out in the preceding discussion that actions taken within cyberspace
can have significant military effects within cyberspace as well as on the other four domains of
conflict as well. With this as a basis, major global powers have already come up with doctrines
enunciating use of offensive cyber capabilities in a multi-domain conflict as a declared national
strategy. Capabilities in tune with these doctrines are being developed at a frenetic pace. The
US Cyber Command achieved initial operational capability in 2010. It is mandated to have 133
Cyber Mission Teams with a total strength of 6200 personnel, over 5000 of which were already
on staff last year and the balance are expected to be made up by next year. A good proportion
of these teams are distributed amongst the geographical commands to be deployed at
operational and tactical levels. In Aug this year, the Cyber Command has been upgraded to a
unified combatant command by the Trump administration. China’s PLA Strategic Support Force,
as per one report, is estimated to have over a lakh personnel. Russia too is known to be very
active on the cyber operations front, under the aegis of FSB. The UK, in its National Cyber
Security Strategy 2016-21, has clearly enunciated the need to develop offensive cyber
capabilities. Thus, the development of doctrines and capabilities for offensive operations in
cyberspace is no longer an option but a necessity.

Cyberwarfare – Legal Implications

There are no clear criteria yet for determining whether a cyberattack is criminal, an act of
hactivism, terrorism, or a nation-state’s use of force equivalent to an armed attack. Likewise, no
international, legally binding instruments have yet been drafted explicitly to regulate inter-state
relations in cyberspace. In September 2012, the US State Department took a public position on
whether cyber activities could constitute a use of force under Article 2(4) of the UN Charter and
customary international law. According to State’s then-legal advisor, Harold Koh, “Cyber
activities that result in death, injury, or significant destruction would likely be viewed as a use of
force.” Examples offered in Koh’s remarks included triggering a meltdown at a nuclear plant,
 4
opening a dam and causing flood damage, and causing airplanes to crash by interfering with air
traffic control. By focusing on the ends achieved rather than the means with which they are
carried out, this definition of cyberwar fits easily within existing international legal frameworks.
If an actor employs a cyber-weapon to produce kinetic effects that might warrant fire power
under other circumstances, then the use of that cyber-weapon rises to the level of the use of
force.
However, there is also a considered view that cyberattacks without kinetic effects are also an
element of armed conflict under certain circumstances. For instance, cyberattacks on
information networks in the course of an ongoing armed conflict would be governed by the same
principles of proportionality that apply to other actions under the law of armed conflict. These
principles include retaliation in response to a cyberattack with a proportional use of kinetic force.
In addition, “computer network activities that amount to an armed attack or imminent threat
thereof” may trigger a nation’s right to self-defense under Article 51 of the UN Charter. In its
2011 International Strategy for Cyberspace, the US affirms that “when warranted, the United
States will respond to hostile acts in cyberspace as we would to any other threat to our country.”
The International Strategy goes on to say that the US reserves the right to use all means
necessary—diplomatic, informational, military, and economic—as appropriate and consistent
with applicable law, and exhausting all options before military force whenever possible.

Conclusion
In this write-up, it has been brought out that Cyberspace has emerged as the fifth dimension of
warfare in addition to land, sea, air and space. While the latter four are physical domains,
Cyberspace lies in the Information domain. In order to prevent our information infrastructure
from being adversely affected during any future conflict, there is an urgent requirement to have
comprehensive organizations not only at national level but at tri-services and individual services
levels as well. Failure to adapt to this new domain of warfare will tilt the balance in favour of
adversaries in future wars.

References
[1] Michael Connell and Sarah Vogel, Russia’s Approach to Cyber Warfare, CNA Occasional
Paper, Mar 2017, pp. 13, 17, 19, Accessed 28 Sep 2020,
https://www.cna.org/CNA_files/PDF/DOP-2016-U-014231-1Rev.pdf.
[2] Jo Lauder, Stuxnet: The Real Life Sci-Fi Story of ‘the World’s First Digital Weapon, 12
Oct 2016, Accessed 28 Sep 2020, http://www.abc.net.au/triplej/programs/hack/the-worlds-first-
digital-weapon-stuxnet/7926298.
[3] Kenneth Geers, Strategic Cyber Security, NATO Cooperative Cyber Defence Centre of
Excellence, 2011, pp. 13, Accessed 28 Sep 2020,
https://ccdcoe.org/uploads/2018/10/2011_Proceedings_0-1.pdf.
[4] Martin Libicki, Cyberdeterrence and Cyberwar, Proj AF, 2009, RAND, Accessed 28 Sep
20, https://www.rand.org/content/dam/rand/pubs/monographs/2009/RAND_MG877.pdf.
[5] Lt Gen (Dr) R S Panwar, Strategic Thinking for Security - Defending the National
Cyberspace – Part II, 28 Jan 2018, NASSCOM-DSCI, Accessed 28 Sep 2020,
https://www.dsci.in/blogs/strategic-thinking-for-cyberspace-security-part-ii/.